Microsoft patches Active Directory flaw

Microsoft released six sets of security patches Tuesday that address critical flaws in its products, including a bug in Active Directory software.

The software vendor also fixed critical vulnerabilities in Excel and the .Net Framework as well as less-critical bugs in Microsoft Office Publisher, Internet Information Services (IIS), and the Vista firewall. The six updates addressed a total of 11 bugs.

The MS07-039 Active Directory update, which is for Windows 2000 Server and Windows Server 2003 systems, should be at the top of enterprise IT administrators' lists, said Eric Schultze, chief security architect with Shavlik Technologies. "That one scares me because those are the crown jewels there. And it looks like you're caught with your pants down at the moment."

The flaw deals with the way Active Directory processes LDAP client requests. Attackers could create a malicious LDAP request that would then allow them to "take complete control of an affected system," Microsoft warned in its advisory on the flaw.

Active Directory enables LDAP by default, but there are factors that mitigate a possible attack. The flaw can be exploited by an anonymous user attacking a Windows 2000 Server, but with Windows Server 2003 a hacker would need to have user credentials for the attack to work.

Also, Windows Active Directory servers are typically protected by the firewall, so the attacker would most likely have to be inside the corporate network, Schultze said.

The Excel and .Net Framework updates each fix three vulnerabilities in these products and are both rated critical by Microsoft because they could be exploited by attackers to install unauthorized software on a victim's computer.

Two of the less-critical patches are also noteworthy. The MS07-041 patch fixes a flaw that could allow an attacker to take over a Windows XP-based Web server by sending specially crafted URL requests. Microsoft rated this flaw as "important" rather than "critical," however, because it only affects XP systems, and IIS is not installed by default on XP.

Microsoft also patched a flaw in the Windows Vista firewall. The bug, which is in Vista's Teredo IPv6 tunneling protocol, would allow an attacker to find out if a Vista computer is on the network. Normally the Vista firewall should simply block unsolicited traffic trying to communicate over the Teredo interface.

The bug could not be exploited to take over a Vista machine and is considered low risk, Schultze said. "If Teredo is turned on, something within it would give a response back, even though the firewall is turned on," he said.

Microsoft has released 41 updates so far in 2007. That's a little ahead of the 39 updates it had released by this time last year.